
Security

The OpenLiberty Project

January 24, 2007

This article was contributed by Jake Edge.

A buzzword-dense press release announcing a new open source project for 'identity management' is hardly the kind of thing to set hearts racing. The release did succeed on one level, however: it made us wonder what the openLiberty project is and what it can do for open source developers. Follow along as we try to shed some light on the world of internet identities and the standards, protocols and organizations involved.

An 'internet identity' means different things to different people, often depending on how they want to use the identity information. A website owner who allows comments has much less strict requirements for what an identity is than a hospital or stock broker might have. Some identities need to be tied to specific individuals (those used for e-commerce, for instance), whereas others can be pseudonymous. Privacy concerns also play a role, in that a user does not necessarily want to provide the same information to every party they establish an identity with; LWN should not (and does not) require your government ID number in order for you to post comments here, but a stock broker might very well need it.

The sponsor of openLiberty is the Liberty Alliance, a consortium of vendors that seeks to provide standards for identity-based web services. The organization was started by Sun Microsystems in 2001 as a competitor to Microsoft's Passport (aka Windows Live ID) single sign-on system. At the time, many were concerned that Microsoft would become the gatekeeper of internet identity management, which would likely guarantee that competitors were locked out. Sun brought together around 30 vendors, along with some ideas it had been working on, to form the alliance, with the plan of providing open, standards-based solutions for identity management.

Since then, the alliance has produced various specifications for what is, by all accounts, a complex, centralized system for identity management built around the Security Assertion Markup Language (SAML). SAML is an emerging OASIS standard that describes the protocol by which identity providers communicate with service providers to authenticate users. The alliance's system is popular with larger organizations, which typically have tighter requirements for identity management. Websites and services with simpler needs have largely used OpenID (covered in an earlier LWN article) to facilitate single sign-on.

The openLiberty project is an attempt to attract more interest in the Liberty system, especially from the open source community, presumably to help drive adoption. The website is a portal geared towards developing open source libraries that implement the various alliance specifications. The first project is a Java client library implementing the Identity Web Services Framework (ID-WSF) to provide single sign-on and other identity-enabled web services. The portal has all the expected features: a blog, a wiki, a mailing list, a source code repository (hosted by SourceForge), and so on.

As might be expected of a project that has just been announced, there are few messages in the mailing list archive and the participant list appears to be made up largely of Liberty Alliance members. Judging by the wealth of information available on the website, the project has already done a lot of the groundwork to establish the portal. It remains to be seen whether it attracts a significant number of non-allied developers. Choosing a Java client library as the starting point would seem to exclude a sizable portion of interested parties; other languages are on the roadmap, and that might be enough to lure in non-Java developers.

An interesting convergence of identity management solutions seems to be going on in the background right now. Proponents of the different systems all see the benefits of interoperability, and there appear to be some efforts underway to allow OpenID and Liberty to work together. There is even talk that Microsoft may join the party and make some kind of effort to interoperate with Liberty.

There are clear benefits to users in having one system to manage their internet identity (or identities) across the universe of web services they might wish to use. Simplicity of implementation for web service providers, and differing levels of security for different classes of service, are also good features to have. One way to get there is through competing systems that can interoperate relatively transparently, and it seems we may be headed in that direction.


New vulnerabilities

centericq: buffer overflow

Package(s): centericq    CVE #(s): CVE-2007-0160
Created: January 24, 2007    Updated: January 24, 2007
Description: The code in centericq which interfaces with the LiveJournal service suffers from a buffer overflow. This vulnerability is exploitable if a user can be convinced to connect to an unofficial LiveJournal server.
Alerts:
Gentoo 200701-20 centericq 2007-01-24


ed: symlink attack

Package(s): ed    CVE #(s): CVE-2006-6939
Created: January 19, 2007    Updated: January 24, 2007
Description: GNU ed before 0.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files, possibly in the open_sbuf function.
Alerts:
rPath rPSA-2007-0012-1 ed 2007-01-23
Fedora FEDORA-2007-100 ed 2007-01-18
Fedora FEDORA-2007-099 ed 2007-01-18


gtk2: denial of service

Package(s): gtk2    CVE #(s): CVE-2007-0010
Created: January 24, 2007    Updated: February 8, 2007
Description: From the Red Hat advisory: A bug was found in the way the gtk2 GdkPixbufLoader() function processed invalid input. Applications linked against gtk2 could crash if they loaded a malformed image file.
Alerts:
Mandriva MDKSA-2007:039 gtk+2.0 2007-02-07
Ubuntu USN-415-1 gtk+2.0 2007-02-01
Debian DSA-1256-1 gtk+2.0 2007-01-31
SuSE SUSE-SR:2007:002 neon, gtk2, smb4k, amarok, jboss4 2007-01-26
rPath rPSA-2007-0019-1 gtk 2007-01-25
Red Hat RHSA-2007:0019-02 gtk2 2007-01-24


java: multiple vulnerabilities

Package(s): java    CVE #(s): CVE-2006-4339 CVE-2006-4790 CVE-2006-6731 CVE-2006-6736 CVE-2006-6737 CVE-2006-6745
Created: January 18, 2007    Updated: June 4, 2010
Description: Java has multiple vulnerabilities. These include an RSA exponent padding attack vulnerability, two vulnerabilities which allow untrusted applets to access data in other applets, vulnerabilities that involve applets gaining privileges due to serialization bugs in the JRE, and buffer overflows in the Java image handling routines that can give attackers read/write/execute capabilities for local files.
Alerts:
Gentoo 201408-19 openoffice-bin 2014-08-31
Pardus 2010-67 openoffice 2010-06-04
Gentoo 200705-20 blackdown java 2007-05-26
Red Hat RHSA-2007:0073-01 java 2007-02-09
Red Hat RHSA-2007:0072-01 ibmjava2 2007-02-08
Red Hat RHSA-2007:0062-02 java-1.4.2-ibm 2007-02-07
Gentoo 200701-15 Sun JDK/JRE 2007-01-22
SuSE SUSE-SA:2007:010 IBMJava2 2007-01-18


netrik: insufficient escaping

Package(s): netrik    CVE #(s): CVE-2006-6678
Created: January 22, 2007    Updated: January 24, 2007
Description: It has been discovered that netrik, a text mode WWW browser with vi-like keybindings, doesn't properly sanitize temporary filenames when editing textareas, which could allow attackers to execute arbitrary commands via shell metacharacters.
Alerts:
Debian DSA-1251-1 netrik 2007-01-21


poppler: denial of service

Package(s): poppler    CVE #(s): CVE-2007-0104
Created: January 18, 2007    Updated: January 26, 2007
Description: Poppler, a PDF loader library, does not limit the recursion depth of the page model tree. If an attacker can trick a user into opening a specially crafted PDF file, an infinite loop can be caused, leading to a crash of the calling application. This also affects kdegraphics and koffice.
Alerts:
Ubuntu USN-410-2 tetex-bin 2007-01-25
rPath rPSA-2007-0013-1 poppler 2007-01-23
Mandriva MDKSA-2007:024 kdegraphics 2007-01-22
Mandriva MDKSA-2007:022 tetex 2006-01-18
Mandriva MDKSA-2007:021 xpdf 2007-01-18
Mandriva MDKSA-2007:020 poppler 2007-01-18
Mandriva MDKSA-2007:019 pdftohtml 2006-01-18
Mandriva MDKSA-2007:018 koffice 2007-01-18
Ubuntu USN-410-1 kdegraphics, koffice, poppler 2007-01-18


squid: denial of service

Package(s): squid    CVE #(s): CVE-2007-0247
Created: January 18, 2007    Updated: January 26, 2007
Description: Squid, a web client proxy caching server, can be made to crash when receiving certain FTP listings, leading to a denial of service.
Alerts:
Gentoo 200701-22 squid 2007-01-25
Ubuntu USN-414-1 squid 2007-01-24
Mandriva MDKSA-2007:026 squid 2006-01-23
SuSE SUSE-SA:2007:012 squid 2007-01-23
Trustix TSLSA-2007-0003 bzip2, kerberos5, squid, wget, xorg-x11 2007-01-19
Fedora FEDORA-2007-092 squid 2007-01-17


xine: format string vulnerabilities

Package(s): xine    CVE #(s): CVE-2007-0017
Created: January 23, 2007    Updated: August 10, 2007
Description: Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.
Alerts:
Mandriva MDKSA-2007:154 xine-ui 2007-08-09
Debian DSA-1252-1 vlc 2007-01-27
Mandriva MDKSA-2007:027 xine-ui 2007-01-26
Gentoo 200701-24 vlc 2007-01-26
SuSE SUSE-SA:2007:013 xine-ui,xine-lib,xine-extra,xine-devel 2007-01-23


xsupplicant: potential code execution

Package(s): xsupplicant    CVE #(s): CVE-2006-5601
Created: January 19, 2007    Updated: January 24, 2007
Description: A post-authentication stack overflow in the EAP handling could be used by an already authenticated attacker to overflow a stack buffer and so potentially execute code.
Alerts:
SuSE SUSE-SR:2007:001 xsupplicant, ulogd, dazuko 2007-01-19


Page editor: Jonathan Corbet
Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds